dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
ce7aee9b · Alex Converse · 3e13005c · ce7aee9b
Commit ce7aee9b authored Feb 17, 2012 by Alex Converse
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

dpcm.c libavcodec/dpcm.c +6 -1

No files found.
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -183,6 +183,11 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
    int stereo = s->channels - 1;
    int16_t *output_samples;

+    if (stereo && (buf_size & 1)) {
+        buf_size--;
+        buf_end--;
+    }
+
    /* calculate output size */
    switch(avctx->codec->id) {
    case CODEC_ID_ROQ_DPCM:
@@ -317,7 +322,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
    *got_frame_ptr   = 1;
    *(AVFrame *)data = s->frame;

-    return buf_size;
+    return avpkt->size;
 }

 #define DPCM_DECODER(id_, name_, long_name_)                \